
  • Dominik Schadow bridgingIT

    Secrets in the Cloud

    JAX 2017

  • spring:
      datasource:
        username: myDatabaseUser
        password: mySuperSecretDatabasePassword

  • ID    USERNAME  PASSWORD             SECRET_ID            SECRET_DATA

    1001  Arthur    kvgkIu7ZuPIdK9G7WUA  duTvd9TinwRlvA6foux  mgxMZwUsPUdW6 42 Secret
    1002  Zaphod    wC28772M7AYVwLe2BOu  dFl8VBo59KS5H1MbY9i  riZpQhP6KCd33 42 Secret
    1003  Slarti    eHkuCs817pYySnk0aKl  zDeZDCSiUSedCOABqcE  sRVYzS1Uc8RzK 42 Secret
    1004  Ford      3kQkFnjyt008yrIjnjf  tZewS6j8yKIbywJYzvs  3HOGqtfYcAVV0 42 Secret

  • Diagram labels: App, DEV, PROD

  • Store technical and personal secrets securely in the cloud

  • Technical Credentials

  • Embedded Configuration

  • Maven dependency: groupId com.github.ulisesbocchio, artifactId jasypt-spring-boot-starter, version 1.12

  • spring:
      datasource:
        username: myDatabaseUser
        password: ENC(vvnkG2pj//Jd1vXe7YtuLvyFCtKBA+CVOYAT9qwfB4yuv4jngb6r/g==)

  • jasypt.encryptor.password

    Passed as a system property, command line argument or environment variable, e.g.:

    docker run -e jasypt.encryptor.password=sample-password -p 8080:8080 -t dschadow/sample

  • Better than before, but we are not there yet…

  • External Configuration

  • Diagram: App → Config Server → backend: Plain (git, svn); Jasypt encrypted; Vault

  • Config Server Cryptography

    Properties starting with {cipher} are decrypted before being returned to the client

  • Symmetric Encryption

    # requires key
    # alternative: environment variable ENCRYPT_KEY
    encrypt:
      key: mySuperSecretKey

  • Asymmetric Encryption

    # requires keystore or pem file
    encrypt:
      keyStore:
        location: classpath:/server.jks
        password: letmein
        alias: mytestkey
        secret: changeme

  • Endpoints must be secured

  • spring:
      datasource:
        name: config-client-db
        username: config-client-db-user
        password: '{cipher}AQAPseaUfV+p34giF9jspUa475vKWV3bLwJh9sL2Gco8xB0e4GG0z24LRIVXz5SKtESd+t9mFFkfPxJ/SgxPNOgAl+naZSay088buguJlpnYNHkNDafpoJmLGdeWq7ZTkdIeoCXpZWIioxz5e3GfWudsMjmcJ6smpq6J63OQkmHy6Z00av7kIKscNZksDDTikeKX02mnpGRelBZfMYqsMF96v7o7tuAT15tTR1v6SHrUpJ83hSy8GgtWRR6egZaTu8sYzJdkpjOmUMGXNI1flBvFdkWNt78BjzB5Lm4IiXINQFw6SObcTCsUv3nQbFOELVqg9ajVHrbKi3oaGwcbgpYR3VGgBzAgX/B/ToS/WBRLtRViSXTANE9iCvqArik4Ynfti6KKROBVk9MFe8qMEiV'

  • decryption failure

  • Using Multiple Keys

    spring:
      datasource:
        password: '{cipher}{key:myFirstKey}AQUfV+...'

    Select an existing key with {key:name} in the properties file

  • Demo

  • „… centrally store, secure, and tightly control access to secrets across distributed infrastructure, applications, and humans.“

  • Data is Always Encrypted

    Internal key encrypts all data with AES

    This key never leaves the system

    Configured storage backend never sees plain text

    File, Amazon DynamoDB, Consul, …

    High availability

  • Secret Storage

    Store existing secrets

    Dynamically create new secrets

    Lease time for new secrets, automatic revocation

    Access control policies for secrets

  • Audit Logs

    Not active by default

    Detailed audit log of all authenticated client interactions

    Trace lifetime and origin of any secret

    Hashes sensitive information with HMAC-SHA256
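    How the audit device's HMAC-SHA256 hashing works in practice, and how a responder uses it, as an added example that is not Vault's code. The field selection (client token and everything under `data`) and the `hmac-sha256:` prefix are assumed to mirror Vault's file audit output; the sample entry is constructed from the demo values in this talk.

```python
import hashlib
import hmac
import json

# Added example, not Vault's code. Models how a Vault audit device hashes sensitive
# values with HMAC-SHA256 before writing an entry, and how an operator can later check
# whether a known value passed through Vault without the log ever holding plaintext.
# Assumed simplification: every string under a "data" object and the client token
# are hashed; the "hmac-sha256:" prefix mirrors Vault's file audit output.


def hash_value(salt: bytes, value: str) -> str:
    """Keyed HMAC-SHA256 of one value. The salt is per audit device and never logged,
    so the log alone cannot be brute-forced against guessed secrets."""
    return "hmac-sha256:" + hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()


def hash_entry(salt: bytes, entry: dict) -> dict:
    """Return a copy of the entry with sensitive leaves replaced by their HMAC."""
    def walk(node, key=None, in_data=False):
        if isinstance(node, dict):
            return {k: walk(v, k, in_data or k == "data") for k, v in node.items()}
        if isinstance(node, str) and (in_data or key == "client_token"):
            return hash_value(salt, node)
        return node  # paths, operations and types stay readable for analysts
    return walk(entry)


def audit_line(salt: bytes, entry: dict) -> str:
    """One JSON line as an audit device would write it."""
    return json.dumps(hash_entry(salt, entry), sort_keys=True)


def appears_in_log(salt: bytes, candidate: str, log_lines: list) -> bool:
    """Incident-response check: hash a suspected leaked value with the device salt
    (what Vault's sys/audit-hash endpoint does) and search the log for it."""
    needle = hash_value(salt, candidate)
    return any(needle in line for line in log_lines)


# Constructed sample entry: the talk's demo write of db.password to secret/spring-config.
SAMPLE_REQUEST = {
    "type": "request",
    "auth": {"client_token": "efe88b79-cf8b-825a-0f6f-ef1ca142782b"},
    "request": {
        "operation": "update",
        "path": "secret/spring-config",
        "data": {"db.password": "config-client-db-password"},
    },
}
```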

  • Accessible via HTTP API or CLI

  • Unsealing requires the configured number of master key shares

  • vault server -config vault.conf

    vault init -key-shares=5 -key-threshold=2

    Unseal Key 1: Pv/Xx49co4Zmed2McapSOr4jC4iiAvfd5EjvILMySJUB
    Unseal Key 2: T00pjFgitbcy+JKOGI6DFgW/0jBdyrVriLdGu7PENbsC
    Unseal Key 3: YCOKtRUITlH3h155P5LM+2zLbFgIe4vwrOIhO7OWHqED
    Unseal Key 4: rTLOGu3emdWa4QyKysY6Tmice1u4QTEcUFIPlrMzz+cE
    Unseal Key 5: glxtI6D0YjNfnsB97dp1owHoxTPt8A+HdAdoFrNh5P0F
    Initial Root Token: efe88b79-cf8b-825a-0f6f-ef1ca142782b

    export VAULT_ADDR=http://127.0.0.1:8200

    Shamir's Secret Sharing (key shares only visible after initialization)

    DEMO!

  • vault unseal Pv/Xx49co4Zmed2McapSOr4jC4iiAvfd5EjvILMySJUB
    Sealed: true
    Key Shares: 5
    Key Threshold: 2
    Unseal Progress: 1
    Unseal Nonce: 87f350d5-2a25-a821-dc7f-2962fc49fe03

    vault unseal rTLOGu3emdWa4QyKysY6Tmice1u4QTEcUFIPlrMzz+cE
    Sealed: false
    Key Shares: 5
    Key Threshold: 2
    Unseal Progress: 0
    Unseal Nonce:
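    The 5-shares / 2-threshold unseal shown above, as an added example that is not the talk's or Vault's code: Shamir's Secret Sharing over a prime field, plus an `Unsealer` that mirrors the Sealed / Unseal Progress state of `vault unseal`. Vault's own implementation splits the master key byte-wise over GF(2^8); the prime field and the `Unsealer` class are simplifications assumed here.

```python
import secrets

# Added example, not the talk's or Vault's code. Shamir's Secret Sharing over the prime
# field GF(2^127 - 1), modelling "vault init -key-shares=5 -key-threshold=2" and the
# "Unseal Progress" shown by `vault unseal` (Vault itself works byte-wise over GF(2^8)).
PRIME = 2**127 - 1  # Mersenne prime; the secret must be an integer below it


def split(secret: int, key_shares: int, key_threshold: int) -> list:
    """Return key_shares points (x, f(x)) of a random polynomial of degree
    key_threshold - 1 whose constant term is the secret."""
    if not 2 <= key_threshold <= key_shares or not 0 <= secret < PRIME:
        raise ValueError("bad key-shares / key-threshold / secret")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(key_threshold - 1)]

    def f(x: int) -> int:
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        return y

    return [(x, f(x)) for x in range(1, key_shares + 1)]


def combine(points: list) -> int:
    """Recover f(0) by Lagrange interpolation. Needs at least key_threshold points;
    fewer yield an unrelated value, which is why a single share reveals nothing."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


class Unsealer:
    """Mimics the seal state machine: shares are collected until the threshold is
    reached, then the master key is reconstructed and the progress counter resets."""
    def __init__(self, key_threshold: int):
        self.key_threshold, self.progress, self.master_key = key_threshold, [], None

    def unseal(self, share: tuple) -> dict:
        if share not in self.progress:  # re-submitting the same share does not count
            self.progress.append(share)
        if len(self.progress) >= self.key_threshold:
            self.master_key = combine(self.progress)
            self.progress = []  # Unseal Progress: 0 once unsealed
        return {"sealed": self.master_key is None, "unseal_progress": len(self.progress)}
```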

  • Authenticated Access Required

    Token: static
    AppId: spring.application.name + user id (e.g. IP or MAC address)
    AppRole: machine authentication, role id + secret id
    TLS Certificate: SSL/TLS client certificates
    AWS: cryptographically signed metadata of EC2 instance
    GitHub: GitHub access token
    …

  • Path Based Secret Storage

    vault [ACTION] secret/spring-config

    secret = mount point, spring-config = application

  • Each 'User' is Assigned a Policy

    Policies use path based matching to apply rules

    A policy may constrain actions and paths

  • path "secret/*" {
      policy = "write"
    }

    path "auth/token/lookup-self" {
      policy = "read"
    }

  • CLI: export VAULT_TOKEN=efe88b79-cf8b-825a-0f6f-ef1ca142782b

    HTTP API: X-Vault-Token header

  • vault write secret/spring-config db.password=config-client-db-password

    key/value format (generic backend)

  • Spring Cloud Vault

    /secret/{application}/{profile}
    /secret/{application}
    /secret/{defaultContext}/{profile}
    /secret/{defaultContext}

    Secrets are picked up during application startup

    Path based on application name and active contexts

  • Reading and Writing Secrets

  • Actuator Health Endpoint

  • Demo

  • Personal Credentials

  • API for Secret Management

    VaultTemplate to read, write, list and delete secrets

    vaultTemplate.read(PATH);

    Similar to RestTemplate

  • Demo

  • We have created another system to monitor and maintain…

  • AWS Key Management Service (KMS)

    Master key to protect all keys

    Service for storing encryption keys

    Supporting cryptographic operations with these keys

    Access control and auditing functionality

  • Diagram: the Key Encryption Key (a.k.a. master key) inside AWS KMS generates and decrypts Data Encryption Key 1 … Data Encryption Key n; the storage holds the encrypted data encryption key.
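    The envelope-encryption flow in the diagram, as an added example that is not the talk's or AWS's code. `FakeKMS` is a stand-in for the KMS GenerateDataKey / Decrypt calls, the record identity is bound in as AEAD associated data, and the example assumes the `cryptography` package for AES-GCM.

```python
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Added example, not the talk's or AWS's code. Envelope encryption as drawn on the KMS
# slide: the Key Encryption Key (KEK) stays inside the key service and only wraps
# per-record Data Encryption Keys (DEKs); storage holds ciphertext plus the wrapped DEK.
# FakeKMS is an assumption of this example standing in for KMS GenerateDataKey/Decrypt.


class FakeKMS:
    """Holds the KEK. Like the real service it never returns the KEK itself."""
    def __init__(self):
        self._kek = AESGCM(AESGCM.generate_key(bit_length=256))

    def generate_data_key(self):
        """Return (plaintext DEK, wrapped DEK); the caller drops the plaintext after use."""
        dek = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        return dek, nonce + self._kek.encrypt(nonce, dek, b"dek-wrap")

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        return self._kek.decrypt(wrapped[:12], wrapped[12:], b"dek-wrap")


@dataclass
class Envelope:
    """Everything that goes to storage; none of it is usable without the KMS."""
    wrapped_dek: bytes
    nonce: bytes
    ciphertext: bytes


def encrypt_record(kms: FakeKMS, plaintext: bytes, aad: bytes) -> Envelope:
    """Fresh DEK per record, AES-256-GCM, record identity bound in as AAD."""
    dek, wrapped = kms.generate_data_key()
    nonce = os.urandom(12)
    return Envelope(wrapped, nonce, AESGCM(dek).encrypt(nonce, plaintext, aad))


def decrypt_record(kms: FakeKMS, env: Envelope, aad: bytes):
    """Unwrap the DEK through the KMS (one auditable call per record), then decrypt.
    Returns None when the GCM tag fails: tampered ciphertext or a swapped record."""
    dek = kms.decrypt_data_key(env.wrapped_dek)
    try:
        return AESGCM(dek).decrypt(env.nonce, env.ciphertext, aad)
    except InvalidTag:
        return None
```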

  • Microsoft Azure Key Vault

    IBM Bluemix Key Protect

  • Summary

    Multiple options to protect sensitive data exist

    Keep it as simple as possible

    Jasypt for simple applications

    Config Server cipher for distributed applications

    Vault when required

    Consider cloud provider services

  • Demo Project: https://github.com/dschadow/CloudSecurity

    AWS KMS: https://aws.amazon.com/de/kms

    Jasypt integration for Spring Boot: https://github.com/ulisesbocchio/jasypt-spring-boot

    Spring Cloud: http://projects.spring.io/spring-cloud

    Vault: https://www.vaultproject.io

    Pictures: http://www.dreamstime.com

  • Marienstr. 17, 70178 Stuttgart

    [email protected]
    www.bridging-it.de

    Blog: blog.dominikschadow.de
    Twitter: @dschadow
